Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification: it does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.

If the Earth were flat, cats would have pushed everything off of it by now.

Can't comment on the effectiveness of the software (haven't used it). It might be very effective and for some organizations worth the cost (albeit the cited article says Zeus already knows how to work around it).

Security is a tradeoff against usability. Each of us have our own acceptable threshold for that and getting burned generally causes the tolerance to discomfort to increase immensely.

That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job, and this doesn't read like software that's gonna do you any favors.

All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.

That being said, I start to draw the line at security programs that are excited about the fact they are essentially rootkits. Again - it might work great - but you now have an extra variable in terms of support when evaluating the ability of that branch to migrate to updated or new software. To be more succinct, who knows how much software compatibility that tool will break. This reads ripe for nasty interactions with OS patches and service packs especially. Change management is a hard job, and this doesn't read like software that's gonna do you any favors.

And that's my issue. I just learned of this thing a couple of days ago and don't know if the bank in question requires accepting this thing in order to maintain an online banking relationship. If the program is a requirement, I've got a massive number of regulatory questions as the rootkit nature of this thing implies massive reputation risk issues on the part of the bank, especially given how the vendor advertises that they burrow deep into the kernel.

One thing's for sure, this thing is sneaky. I was first made aware of it earlier this week when my boss asked me about it based on something funky he'd seen on his office PC's screen. A check of Task Manager showed 2 separate unkillable processes. This is on a fully-managed work PC with full Active Directory controls over program installation and a hardcore enterprise-level Sophos installation that won't let me run CCleaner, but never burped once about this thing.

No sir, I don't like it.

[/rubs chin with hoof]

If the Earth were flat, cats would have pushed everything off of it by now.

Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

That's what I was thinking as well. If my financial institution required it, I'd be required to change financial institutions. And I say that as someone who very much loves his credit union.

I do not understand what I do. For what I want to do I do not do, but what I hate I do.

I'm waiting for the day when banks distribute a secure virtual machine based on Linux or OpenBSD, containing only enough to run a web browser and a software updater, and require that for online banking.

Are you saying this bank might be requiring its regular customers to install this on their own PCs in order to do online banking with them? There aren't too many things that would get me off my lazy ass to switch banks, but that certainly would do it.

I don't know that at the moment, but can guarantee that it's moved to the top of my to-do list.

As for e-banking security, the best way is to deliver confirmations through an alternate channel, i.e. text-capable cellphone. You enter a transaction and the e-banking platform immediately sends a confirmation request with a single-use code to the text-enabled (or better) cellphone you listed when you signed up for e-banking. Enter the one-time code and the transaction is completed.

If the Earth were flat, cats would have pushed everything off of it by now.
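The confirm-through-a-second-channel flow described in the post above (transaction entered in the browser, single-use code sent to the customer's phone, transaction completed only when that code comes back) as an added worked example. This is not code from the thread or from any bank; the SMS gateway, clock, transaction fields and phone number are stand-ins I constructed so it runs offline. The message sent to the phone repeats the payee and amount, so a transaction rewritten by a trojan in the browser would show up as a mismatch before the customer approves it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # length of the one-time code (assumed policy)
CODE_TTL_SECONDS = 120   # code validity window (assumed policy)
MAX_ATTEMPTS = 3         # wrong guesses before the pending transaction is dropped


@dataclass
class Transaction:
    txn_id: str
    payee: str
    amount_cents: int


@dataclass
class PendingConfirmation:
    txn: Transaction
    code: str
    expires_at: float
    attempts: int = 0


class OutOfBandConfirmer:
    """Server side of the confirm-by-text flow: issues a single-use code on a
    second channel and completes a transaction only when that code matches."""

    def __init__(self, send_text, clock=time.time):
        self._send_text = send_text   # callable(phone, message): the SMS channel (stand-in)
        self._clock = clock           # injectable so expiry can be tested deterministically
        self._pending = {}            # txn_id -> PendingConfirmation
        self._used = set()            # txn_ids whose code was already consumed
        self.completed = []           # transactions that passed confirmation

    def submit(self, txn, phone):
        """Record the transaction as pending and push its code over the second channel."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[txn.txn_id] = PendingConfirmation(txn, code, self._clock() + CODE_TTL_SECONDS)
        # Echo payee and amount so the customer can compare against what they typed.
        self._send_text(phone, f"Confirm {txn.amount_cents / 100:.2f} to {txn.payee}: code {code}")
        return txn.txn_id

    def confirm(self, txn_id, submitted_code):
        """Complete the transaction if the code is correct, unexpired and unused."""
        if txn_id in self._used:
            return "already-used"
        pc = self._pending.get(txn_id)
        if pc is None:
            return "unknown"
        if self._clock() > pc.expires_at:
            del self._pending[txn_id]
            return "expired"
        pc.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if not hmac.compare_digest(pc.code, submitted_code):
            if pc.attempts >= MAX_ATTEMPTS:
                del self._pending[txn_id]
                return "locked"
            return "wrong"
        del self._pending[txn_id]
        self._used.add(txn_id)
        self.completed.append(pc.txn)
        return "completed"


def demo():
    """Exercise the flow with a captured SMS channel and a fake clock (constructed data)."""
    sent = []
    now = [1_000_000.0]
    confirmer = OutOfBandConfirmer(send_text=lambda phone, msg: sent.append((phone, msg)),
                                   clock=lambda: now[0])
    phone = "+1-555-0100"  # placeholder number

    confirmer.submit(Transaction("T1", "ACME Supplies", 125000), phone)
    code = sent[-1][1].rsplit("code ", 1)[1]          # what the customer reads off the phone
    bad_code = code[:-1] + str((int(code[-1]) + 1) % 10)  # guaranteed to differ from the real one

    results = {}
    results["wrong"] = confirmer.confirm("T1", bad_code)
    results["ok"] = confirmer.confirm("T1", code)
    results["replay"] = confirmer.confirm("T1", code)   # the same code cannot be used twice

    confirmer.submit(Transaction("T2", "ACME Supplies", 100), phone)
    code2 = sent[-1][1].rsplit("code ", 1)[1]
    now[0] += CODE_TTL_SECONDS + 1                      # let the code age out
    results["expired"] = confirmer.confirm("T2", code2)
    results["completed_count"] = len(confirmer.completed)
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties that make the second channel worth something are all visible in `confirm`: the code is bound to one transaction id, it is consumed on first success, and it dies after a short window, so a code captured from a keylogger or a replayed confirmation buys an attacker nothing after the customer has used or abandoned it.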

It doesn't care if you're admin or not, 'cause it is. This is in a full AD environment with no user-level privileges to install anything. We configured a box with a Sophos definition file specifically set to stop this thing. Sophos never blinked and let it run.

Folks, if your financial institution asks you to install this, quickly decline. If they require you to install it, find a new financial institution.

EDIT: Revised Sophos definitions now work.

If the Earth were flat, cats would have pushed everything off of it by now.

The Unrestricted access level simply means the program runs with the rights of the user. This is not a smoking gun of misdeed.

One of the rules of SRP allows for controlling the use of programs through a Certificate. This too is not a smoking gun of misdeed.

This does not mean that the program is not vile. The above just isn't evidence to prove it.

Hmm, that only adds to the confusion. The individual in question does not have sufficient user rights under current GPO to install ANY software, yet it installed. The install log does not identify the certificate provider, so that seems to be the next line of inquiry.

If the Earth were flat, cats would have pushed everything off of it by now.

Does anyone here know about this thing, or has done any forensics on it?

Trusteer Rapport is a bit of software pushed out by banks to secure their on-line banking platforms. It claims to totally prevent trojan and man-in-the-middle attacks as well as claiming that it buries itself so far in the OS kernel that it can outwit keyloggers. My cursory 'Net research turns up the usual crowd of complainers, but in this case with some justification: it does not appear in Add/Remove Programs, it sets the Temporary Internet Files folder/contents to "hidden" and "read-only", and it appears to amass a pile of data in Docs & Settings\%User%\Application Data. From a regulatory perspective these behaviors worry me, and one of my institutions is using this software.

Thanks in advance.

I have it on my computer and it does appear in Add/Remove Programs. The only thing it seems to do is stop me leaving the bank website if I have a password in copy and paste.

Will definitely be keeping an eye out for this in the future. If your antimalware tools can't see it, they sure can't see if it's infected. Have you tried looking for it with RootkitRevealer (or similar)?

thegleek wrote:

What is it called exactly under add/remove programs? Am I looking for "Trusteer Rapport" or some other company? I can't seem to find this anywhere on my Win7 x64 computer.

Unless you're an online banking customer with BoA or some other institution that mandates its use, you probably (hopefully) don't have it.

UPDATE:

After review, and after review of my office server configs, I'm almost OK with this beastie. The non-public docs (those provided to customers) say all the right things. My claim of installing over GPO restrictions is temporarily in abeyance as we review exactly how GPO restrictions and .MSI objects interrelate. Our policy is to block them but they're not getting blocked, and it's not just this piece of software.

On a non-domain XPSP3 box I have verified that it shows in Add/Remove Programs and can be uninstalled from an admin login. The only trick is that you have to stop the underlying service before running uninstall (again from an admin login), otherwise it sees the removal attempt as malware-generated. Once the service is stopped it happily and completely uninstalls.

As I said above, my guess is that the conflict between our mis-configured domain policy and the installer for this is the reason we didn't see it in Add/Remove Programs.

Once we've settled that mess, I'll Wireshark it and see if, how, why, and what it phones home for/with.

If the Earth were flat, cats would have pushed everything off of it by now.

Almost 13 years later, and this thing is still around. As of last year, SunTrust bank requires their institutional clients (I work at one) to install this program before they can access their account. My only issues with this so far are one, you can't stop the process, and two, you can't uninstall it like you can with other programs. I don't trust anything that I can't stop and uninstall.

A (young) customer's rather old laptop was misbehaving. Upon investigation I identified a number of bits of software that were either downright suspect or of dubious value. I have been aware for some time that Rapport falls into one or both of those categories and so after said customer denied having installed it, I tried to remove it following Rapport's own guidelines. That'll be http://www.trusteer.com/support/uninstalling-rapport (NB: Trusteer Rapport) which advises using Control Panel to remove it in the normal way.

Surprise surprise: ... "files are locked by another software" (is this Ingrish or what??) ... problem persists, please see this site ...troubleshoot_uninstall.

Off I go. Ah! They have an application to download that will uninstall it. No, wait. only after a lengthy, slightly intimidating and patronising form filling exercise that goes to some support wonks who will, if the mood takes them, let me have it!!!! Who owns this PC?? Who do they think they are??

So I'm waiting for a reply from these <expletive>s

In the mean time, is there a safe place to download this removal application ahead of being told by some wonk that I need to try A, B, C etc before they allow the *owner* of the PC to remove their unwanted software?